As games grow in popularity, they also become attractive targets for malicious actors seeking to disrupt gameplay through Distributed Denial of Service (DDoS) attacks.
An attack occurring during the initial launch of a game, during a visible esports tournament, or while a notable influencer/streamer is playing can have a significant impact on a game’s success and its developer’s reputation.
To address the specialized needs of protecting game servers, Amazon Web Services (AWS) is introducing Amazon GameLift Servers DDoS Protection, a new feature that enables game developers to protect against malicious attempts to disrupt User Datagram Protocol (UDP)-based traffic to a game server hosted on Amazon GameLift Servers.
Unlike traditional DoS/DDoS protection methods for session-based multiplayer games, which react to an attack by finding the single instance that is being impacted and then applying a mitigation, Amazon GameLift Servers DDoS Protection provides always-on, UDP-based DDoS protection for game servers, without the need for manual byte matching, and with negligible latency added.
The new feature is available at no additional cost to Amazon GameLift Servers customers, and it will initially be available in the following regions: US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Europe (Ireland), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Asia Pacific (Seoul).
The Challenge: DDoS Attacks in Modern Gaming
DDoS attacks have become one of the most persistent threats facing multiplayer games. Traditional mitigations are typically reactive in nature since they monitor incoming attacks, and then automatically implement a mitigation when the attacks are detected. Attacks can take multiple minutes to detect and multiple additional minutes for mitigations to take effect. By the time mitigations are in place, players may have abandoned their game sessions or even been forcibly disconnected due to the network interface on the instance saturating.
Traditional mitigations are not purpose-built to proactively address attacks on game servers at scale. They are not designed to handle UDP-based traffic and may require more complex integrations, such as managing rotating byte match patterns. Additionally, the mitigations used to protect game servers often result in increased latency and may require updates if attackers find new ways to bypass defenses. Finally, some offerings only support a single game platform (such as PC games exclusively), resulting in developers needing multiple implementations to support multi-platform games.
The Solution: Purpose-built Protection for Game Servers
Amazon GameLift Servers DDoS Protection provides an advanced layer of protection for games running on Amazon GameLift Servers by co-locating a relay network directly alongside the game servers. The relay network authenticates client traffic using access tokens to ensure only authorized traffic reaches the server. In addition, even if the source of an attack presents itself as legitimate, the DDoS Protection feature enforces per-player traffic limits to further prevent disruptions.
By connecting players to a relay instead of the game server directly, this feature provides IP obfuscation and DDoS protection while maintaining a negligible increase in latency. To maximize resilience, players receive multiple relay endpoints, and connections are distributed across the infrastructure to prevent targeted disruptions against specific players or the entire game session.
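The two relay-side checks described above (token authentication, then a per-player traffic limit) can be sketched as follows. This is an added example, not AWS code: the announcement does not specify the token format or limits, so the datagram layout, the truncated HMAC-SHA256 tag, and the token-bucket parameters are all assumptions.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!IQ")   # assumed layout: player_id, expiry (unix seconds)
TAG_LEN = 16                    # assumed: truncated HMAC-SHA256 tag


def issue_token(key: bytes, player_id: int, expiry: int) -> bytes:
    """Backend side: mint the token a client prepends to every datagram."""
    header = HEADER.pack(player_id, expiry)
    return header + hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


class Relay:
    def __init__(self, key: bytes, rate_pps: float, burst: int):
        self.key, self.rate, self.burst = key, rate_pps, burst
        self.buckets = {}       # player_id -> (tokens_left, last_seen)

    def admit(self, datagram: bytes, now: float) -> str:
        """Return "forward" or a drop reason; called once per datagram."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return "drop:malformed"
        header = datagram[:HEADER.size]
        tag = datagram[HEADER.size:HEADER.size + TAG_LEN]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Authenticate before touching per-player state, so a flood of
        # unauthenticated packets cannot allocate buckets on the relay.
        if not hmac.compare_digest(tag, expected):
            return "drop:bad_token"
        player_id, expiry = HEADER.unpack(header)
        if now >= expiry:
            return "drop:expired"
        # Token bucket: even traffic carrying a valid token is capped.
        tokens, last = self.buckets.get(player_id, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[player_id] = (tokens, now)
            return "drop:rate_limited"
        self.buckets[player_id] = (tokens - 1, now)
        return "forward"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample values
    relay = Relay(key, rate_pps=2, burst=3)
    pkt = issue_token(key, 7, expiry=1_000) + b"move:north"
    print([relay.admit(pkt, now=100.0) for _ in range(4)])
```

Only datagrams that return "forward" would be passed on to the game server; everything else is dropped at the relay, so the server's own address and network interface never see the unauthenticated traffic.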










